DEV Community


SvelteKit Changes: Cookies and Authentication

Shivam Meena on September 21, 2022

Introduction: In this article, we are going to talk about cookies in SvelteKit and learn how to handle authentication with cookies after svel...
bato3

Never, Never NEVER !!!!!11111one one one

Don't set a raw userId as auth data: cookies.set('session', user.entityId, ...). It's an easy way to hijack your administrator account.

Important data should be signed, e.g. use cookie-signature or put the data in a JWT, or use a unique UUID for the session.

Kolja

Thanks for this important hint.

Can you explain it a little further, or give me a link?

bato3

You must remember that any value can be modified in such a way as to harm your application. In this case, after logging in, your id is provided and your permissions are retrieved based on it.
The attacker can craft the message and gain administrator privileges.

Shivam Meena

Yeah, that's true. Have a look at the project.

Shivam Meena

I'm not sure whether this will help you or not:
GitHub - EtherCare

Shivam Meena

I'll use a token or JWT for this kind of thing. This project is for testing Redis as the primary DB, so I did that.

bato3

OK, you won't do that, but don't show bad behavior. Some script kid will copy it mindlessly, and then there will be crying and gnashing of teeth...

Shivam Meena • Edited

Don't worry, I'll be pushing my whole project this weekend, which might be helpful, and I would love it if you suggest something after those changes. But JSON tokens are easy to crack.

Osayimwen Odia

Thank you. I couldn't figure out how to use the cookies. I was about to lose my mind.

Shivam Meena

Happy to help🤩

JJ

Ayo, uhhhhh, definitely don't do that with your stores. You're setting a store value to a global variable. If that gets called/run by the server side, you're toast lol. Extremely dangerous. Everybody now has everyone else's info.
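
The failure mode this comment warns about, shown as an added example that is not code from the article, the project or any commenter. It uses plain Node with no SvelteKit import: the store is modelled as a module-level variable, and a request handler is split into a "load user" step and a "render" step so two requests can interleave the way they would on the event loop between awaits. The user records and function names are constructed for illustration.

```javascript
// Added example (not from the article or the thread): module-level state written
// during server-side rendering is shared by every request in the process, so an
// interleaving of two requests leaks one user's data into the other's page.
// Per-request state (the equivalent of SvelteKit's event.locals) does not.

// Shared by every request this server process handles.
let globalUser = null;

// Two steps per request; a real handler awaits a database call between them,
// which is exactly where another request gets to run.
function loadIntoGlobal(user) { globalUser = user; }
function renderFromGlobal() { return `Hello ${globalUser.name} <${globalUser.email}>`; }

// Per-request variant: the state lives in an object owned by that one request.
function loadIntoLocals(locals, user) { locals.user = user; return locals; }
function renderFromLocals(locals) { return `Hello ${locals.user.name} <${locals.user.email}>`; }

// Simulate two concurrent requests, A for alice and B for bob, whose steps
// interleave as: A loads, B loads, A renders, B renders (constructed data).
function simulate() {
  const alice = { name: 'alice', email: 'alice@example.com' };
  const bob = { name: 'bob', email: 'bob@example.com' };

  loadIntoGlobal(alice);
  loadIntoGlobal(bob);                 // overwrites alice before A renders
  const globalA = renderFromGlobal();  // alice's response now shows bob
  const globalB = renderFromGlobal();

  const localsA = loadIntoLocals({}, alice);
  const localsB = loadIntoLocals({}, bob);
  const localA = renderFromLocals(localsA);  // still alice
  const localB = renderFromLocals(localsB);

  return {
    globalA, globalB, localA, localB,
    leaked: globalA.includes('bob'),
  };
}
```

The same interleaving happens with a writable Svelte store imported from a module and set inside a server load function or hook, because the module is evaluated once per process, not once per request.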

Shivam Meena

I know what you're saying. For example, I'm assigning locals data to the users store after the data is validated from the server and cleared; even if it's server-side rendered it isn't going to cause a problem, but there are scenarios where it's way more dangerous.

shin

Do you have an example repo for this tutorial?

Shivam Meena